Right now, whoever plugs in a cable can access any intranet server freely. I want to change this behavior. But given that we run not only Windows machines but also Linux clients, I can't just use NAP to restrict DHCP access.

Here are my thoughts:

Perhaps all users should do an AD authentication before being granted network access. But that's not integrated with the router.

Check allowed MAC addresses against a whitelist. But the perpetrator could just listen for traffic, collect authorized MAC addresses and use them later.

It seems that you're trying to solve a physical security problem with software. If people can freely walk in to your premises and plug/unplug the cables they want, you have bigger problems.
– Adnan - Adi May 15 '13 at 10:48

4 Answers

Disable unused ports (which should obviously be the first line of defense).

Using port security on your switch makes it at least necessary that an attacker finds out a certain MAC address and connects to a specific port, which will stop most people from plugging their home devices into the company network. In addition to this you may activate a "suspend" mode for ports: the first time an invalid MAC address is detected on a port, it will shut down and has to be reactivated manually by an admin.

RADIUS would obviously be the most fitting solution for your problem. You can configure your Windows DC as a RADIUS authentication server and then have your switches forward the authentication requests using 802.1X. The result would be that anybody trying to access the network would have to enter the username and password they use on the DC. If it is not correct they will be isolated in a separate restrictive VLAN. Disadvantage: you need hardware that supports 802.1X and have to understand VLAN concepts. I will not go into details of RADIUS here. If you are interested feel free to ask.

Does RADIUS work on Ethernet? I thought it was only for wifi.
– yzT May 15 '13 at 11:31

@yzT Yes, it does. It was originally designed for dial-up access authentication, but it can now be used for both wired and wireless network authentication. On wired networks it's used for exactly this: blocking non-domain-joined devices from gaining access to the network.
– Xander May 15 '13 at 12:51

@Xander As it is being said: "Every day I learn something new" :D
– yzT May 15 '13 at 13:43

The ideal setup is to treat employees and the outsiders who come to the office differently. All the employees should be put on one network in one firewall zone, say trust (10.2.0.0/16), and the outsiders on another network in another firewall zone, say trust2 (10.3.0.0/16).

You can provide access to the internet from trust and then whitelist the IP addresses as and when required from trust2 (you should provide static addresses). This will give you better flexibility on the policies for the organization (e.g., if you want to give unrestricted internet access to employees and block certain sites from non-employees).

Yet another option would require help from your firewall. I have worked on Juniper NetScreens and they allowed authentication on the rule. So basically you configure authentication on the firewall rule that allows internet access, and users will have to enter a username and password to get through. This is device dependent and you will need to check your firewall for such a feature.

If someone is able to freely plug cables, then they're most likely able to unplug other cables and plug their own. Disabling ports won't solve the problem. Worst case, they can cut the cables and connect themselves. This is not an answer; it can be summarized in a comment to ask the OP about their physical security.
– Adnan - Adi May 15 '13 at 10:49

NAP would be your best bet and is available for Linux and Mac clients. You can also "register" devices that do not have NAP capability manually or mostly automated with a portal page. Either way, you should, as others have pointed out, work on your physical security if users are able to freely unplug machines.